Behavioral Detection of Keylogging Activity Across Platforms

Technique Detected: Keylogging | T1056.001

ID: DET0089
Domains: Enterprise
Analytics: AN0243, AN0244, AN0245, AN0246
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0243

Monitors suspicious use of Windows API calls such as SetWindowsHookEx, GetKeyState, or keyboard-state polling functions from non-UI service processes, combined with Registry or driver modifications.

Log Sources
Data Component | Name | Channel
Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10
File Access (DC0055) | WinEventLog:Security | EventCode=4656
Service Creation (DC0060) | WinEventLog:System | EventCode=7045
Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13
Mutable Elements
Field | Description
TargetImage | Scope to sensitive GUI/session processes like winlogon.exe or osk.exe
AccessMask | Can be tuned to 0x1fffff for full-access injection detection
TimeWindow | Tunable for sustained polling or multiple registry edits in short succession

AN0244

Detects non-system processes opening /dev/input/* or issuing the ptrace or evdev ioctl syscalls used to read keystroke buffers directly.

Log Sources
Data Component | Name | Channel
File Access (DC0055) | auditd:SYSCALL | open, read
OS API Execution (DC0021) | auditd:SYSCALL | ptrace, ioctl
Mutable Elements
Field | Description
ProcessName | Exclude known good applications (e.g. Xorg, GNOME Shell)
DevicePath | Typically /dev/input/event*, but tunable to match custom input buses
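As an added example, not part of the DET0089 record or any MITRE tooling, the following Python implements the AN0243 and AN0244 checks over constructed Sysmon EventCode=10 and auditd records: the allowlists (csrss.exe, lsass.exe, Xorg, gnome-shell), the sample process names and paths, and the use of `ausearch -i` interpreted auditd output are all assumptions.

```python
import re
# AN0243: sensitive targets, allowlisted sources (assumed) and the full-access mask.
SENSITIVE_TARGETS = {"winlogon.exe", "osk.exe"}
KNOWN_GOOD_SOURCES = {"csrss.exe", "lsass.exe"}
FULL_ACCESS = 0x1FFFFF
def flag_sysmon_access(ev):
    """Sysmon EventCode=10 fields as a dict -> True for full access to a sensitive target."""
    target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
    source = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
    granted = int(ev["GrantedAccess"], 16)
    return (target in SENSITIVE_TARGETS and source not in KNOWN_GOOD_SOURCES
            and granted & FULL_ACCESS == FULL_ACCESS)

# AN0244: allowed evdev readers (assumed allowlist) and the DevicePath pattern.
KNOWN_GOOD_INPUT_READERS = {"Xorg", "gnome-shell"}
INPUT_DEVICE = re.compile(r"^/dev/input/event\d+$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r"audit\([\d.]+:(\d+)\)")
def parse_audit(line):
    """One auditd record -> dict; the msg= serial links SYSCALL to PATH."""
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    rec["serial"] = _SERIAL.search(rec["msg"]).group(1)
    return rec
def flag_input_reads(lines):
    """(comm, exe, device) for each open/openat of /dev/input/event* by a
    process outside the allowlist, joining SYSCALL and PATH on their serial."""
    syscalls, devices = {}, {}
    for rec in map(parse_audit, lines):
        if rec["type"] == "SYSCALL":
            syscalls[rec["serial"]] = rec
        elif rec["type"] == "PATH" and INPUT_DEVICE.match(rec.get("name", "")):
            devices[rec["serial"]] = rec["name"]
    return [(sc["comm"], sc["exe"], dev) for serial, dev in devices.items()
            if (sc := syscalls.get(serial)) and sc["syscall"] in ("open", "openat")
            and sc["comm"] not in KNOWN_GOOD_INPUT_READERS]

# Constructed sample telemetry (not real captures); the auditd lines are in the
# interpreted form `ausearch -i` prints, so syscall= carries a name.
SAMPLE_SYSMON = [
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1fffff"},
    {"EventCode": 10, "SourceImage": r"C:\ProgramData\upd\svchelper.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1fffff"},
]
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.100:201): syscall=openat exe="/usr/lib/xorg/Xorg" comm="Xorg"',
    'type=PATH msg=audit(1700000000.100:201): item=0 name="/dev/input/event3"',
    'type=SYSCALL msg=audit(1700000000.200:202): syscall=openat exe="/tmp/.cache/kl" comm="kl"',
    'type=PATH msg=audit(1700000000.200:202): item=0 name="/dev/input/event3"',
]
```

Only the second Sysmon record and the non-allowlisted `kl` process are flagged; the allowlisted csrss.exe and Xorg entries show why the ProcessName and TargetImage mutable elements matter for tuning.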

AN0245

Detects unauthorized TCC-governed access, or the use of Quartz Event Services (CGEventTapCreate) or IOHID to install event taps from unexpected processes.

Log Sources
Data Component | Name | Channel
Process Metadata (DC0034) | macos:unifiedlog | subsystem=com.apple.TCC
Process Creation (DC0032) | macos:osquery | process_events OR launchd
Mutable Elements
Field | Description
Service | com.apple.inputmonitoring, com.apple.accessibility, etc.
ExecutablePath | Tunable to exclude trusted endpoint monitoring tools

AN0246

Detects keylogging on legacy network devices via unauthorized system image modification, or remote capture of console keystrokes (telnet, SSH) through altered firmware or man-in-the-middle key sniffing.

Log Sources
Data Component | Name | Channel
Firmware Modification (DC0004) | networkdevice:syslog | Image Upgrade / Configuration Change
Network Traffic Content (DC0085) | NSM:Flow | packet capture or DPI logs
Mutable Elements
Field | Description
FirmwareVersion | Baseline hash or expected version for config/image integrity
Protocol | Scope to plaintext channels or low-assurance SSH versions